On Fri, 14 Feb 2014 16:32:21 +0100
Aleksander Kurczyk <akurc...@outlook.com> wrote:

> Hi,
> 
> Now my firewall looks like this:
> 
> sudo iptables -F
> sudo iptables -P INPUT DROP
> sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> sudo iptables -A INPUT -i lo -j ACCEPT
> sudo iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
> sudo iptables -A INPUT -p tcp --dport 22005 -j ACCEPT
> sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> sudo iptables -A INPUT -p tcp --dport 81 -j ACCEPT
> sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j DNAT --to 192.168.0.10:80

I believe this '--to' should be '--to-destination'; I have an old rule
using the latter, but I haven't run any traffic through it for a few
years, and iptables does evolve slowly, so things might be different
now.
> 
> I've found that if the FORWARD "-a" default policy is to accept
> everything I don't have to use the second rule. I think that the
> problem is that my Raspberry is not my router, so the PC is
> responding directly to the router, which in turn doesn't know what to
> do. Is there a way to make iptables make my PC respond to it and
> then to the router - some IP level proxy etc.?
> 

Your problem here is that the default gateway of your PC is the router,
not the Pi. This is normally avoided by using a two-NIC computer as the
firewall-router, when this machine becomes the network default gateway.

You may be able to make the Pi the default gateway for the PC, and add
enough forwarding rules to the Pi firewall to allow the PC the Internet
access it needs. Alternatively, you could try routing rules in the PC
firewall (assuming it is a Linux machine) which would return packets
with a source port of 80 to the Pi instead of the default gateway.

But try '--to-destination' first, as the Pi might currently not be
re-writing the source address of packets sent to the PC, and this might
make a difference. I can't say for sure as my rule worked, but that was
via a two-NIC machine which was the network default gateway, so
re-writing might not have been occurring.

-- 
Joe
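An added example for the one-armed case discussed above (this is not Aleksander's or Joe's rule set): the Pi keeps a single NIC, uses '--to-destination', and also rewrites the source address of the forwarded packets (SNAT in POSTROUTING) so the PC's replies come back through the Pi rather than straight to the router. The Pi's own address, the interface name and the port numbers are assumptions or taken from the thread.

```sh
#!/bin/sh
# Added example, not code from the original thread. One-armed DNAT on the Pi
# (single NIC) with the source of forwarded packets rewritten to the Pi, so the
# PC answers the Pi and conntrack can un-NAT the reply on its way out.
WAN_IF=eth0              # assumed: the Pi's only interface
PI_IP=192.168.0.5        # assumed: the Pi's own LAN address
LAN=192.168.0.0/24
PC_IP=192.168.0.10       # the web server behind the Pi (from the thread)
SSH_PORT=22005

# Emit the rule set as text; apply_rules executes it. Keeping the two apart
# lets the rules be reviewed before they touch a live box.
# Notes on what changed against the thread's rule set:
#  - no INPUT rule for port 81: DNATed packets are forwarded, never delivered
#    locally, so that rule only widened INPUT for nothing;
#  - FORWARD stays at policy DROP and accepts only the DNATed flow and its
#    replies, instead of accepting everything;
#  - the SNAT rule means the PC's web logs show the Pi's address, not the
#    original client's.
pi_dnat_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s $LAN -j ACCEPT
iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 81 -j DNAT --to-destination $PC_IP:80
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $WAN_IF -p tcp -d $PC_IP --dport 80 -m conntrack --ctstate DNAT -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -p tcp -d $PC_IP --dport 80 -j SNAT --to-source $PI_IP
EOF
}

apply_rules() {
    sysctl -w net.ipv4.ip_forward=1   # the Pi must route, not only filter
    pi_dnat_rules | sh -e             # stop at the first rule iptables rejects
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    pi_dnat_rules                     # dry run: print the rules for review
fi
```

Run it with no arguments to review the rules, then as root with --apply; 'iptables -t nat -L -n -v' afterwards should show the DNAT and SNAT counters moving together once a client hits port 81.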


Archive: http://lists.debian.org/20140214160449.7f0c6...@jretrading.com